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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address — 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )KI Responsive to communication(s) filed on 09 October 2009 . 
2a )^ This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-10 and 12-21 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) |EI Claim(s) 1-10 and 12-21 is/are rejected. 

7) 0 Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) Q The specification is objected to by the Examiner. 

10) D The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

20 Certified copies of the priority documents have been received in Application No. . 

3.Q Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

1 . This is a Final Office Action in response to communication received 9 October 2009, 
wherein: Claims 1, 8-10, 12, 16, 17, and 19 have been amended; 

Claim 11 has been cancelled; 

Claims 20 and 21 have been newly added; therefore, 

Claims 1-10 and 12-21 are pending. 

Response to Arguments 

2. As to Applicant's remarks regarding deficiencies in the prior art to teach most specifically 
the last "generate" clause of independent claims 1 and 12 (pages 1 1-13 of Remarks dated 9 
July 2009), Examiner notes that [i]n considering disclosure of reference patent, it is pertinent to 
point out not only specific teachings of patent but also the reasonable inferences which one 
skilled in the art would logically draw therefrom. In re Shepard, 138 USPQ 148 (CCPA 1 963). 
As Applicant notes (first paragraph, page 12 of Remarks dated 9 July 2009), Baudoin teaches 
generating a list of corrective actions using the rating, executing the list of corrective actions to 
create a new security information policy and practice (Abstract). Examiner asserts that 
generating a list of corrective actions is generating a plan. Executing the list of corrective 
actions is implementation. That different words are used does not effectively serve to 
patentably distinguish the claimed invention over the prior art. 

Furthermore, McKenna teaches a ensuring that a plan is in place to transition from the 
present system to the new system which includes design security profiles and design security 
architecture ([0082]-[0084]). That McKenna teaches signing off as part of the plan as well does 
not negate the fact that McKenna teaches a plan for transitioning from one system to another. 
Examiner notes that [hjaving established that this knowledge was in the art, the examiner could 
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then properly rely, as put forth by the solicitor, on a conclusion of obviousness from common 
knowledge and common sense of the person of ordinary skill in the art without any specific hint 
or suggestion in a particular reference. In re Bozek, 163 USPQ 545 (CCPA 1969). 

3. As to Applicant's remark that a person of ordinary skill in the art would not have been 
prompted to combine the teachings of the references to achieve the claimed subject matter 
(page 13 of Remarks dated 9 July 2009), Buteau discloses objectives to [pjrovide for the 
representation of planned or possible future architectures... Extend gracefully to encompass 
alternative (non-TAFIM) or future perspectives on technologies, services, etc. In this 
framework, Buteau takes into account Architecture Component Associations, entities that 
identify associations or relationships between enterprise components (e.g., technology 
distribution over locations). Instances of these entities cannot be identifies independently from 
the component entities they interrelate; therefore, they must be the last parts of an enterprise 
architecture to be specified. Attributes and relationships of these entities are likely to change 
significantly over time in ways that are important to the architecture and planner. These entities 
as described above are... system components, technology acquisitions, technology acquisition 
items, technology security, and technology sets (column 5, line 32 - column 6, line 47; 
Figure 7). Ruffin discloses considerations of technology security with regard to software and the 
network environment (column 14, lines 1-28). Examiner notes that [t]he question is whether 
there is something in the prior art as a whole to suggest the desirability, and thus the 
obviousness, of making the combination. Lindemann Maschinenfabrik GMBH v. American Hoist 
& Derrick Co., 221 USPQ 481 (Fed. Cir. 1984). 

Examiner further notes that the test for obviousness is not whether the features of a 
secondary reference may be bodily incorporated into the structure of the primary reference, nor 
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is it that the claimed invention must be expressly suggested in any one or all of the references; 
rather, the testis what the combined teachings of the references would have suggested to those 
of ordinary skill in the art. In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981). Therefore, 
a person of ordinary skill in the art would have been prompted to combine the teachings of 
Buteau, Ruffin, Baudoin, and McKenna. 



Claim Rejections - 35 USC §103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-10, 20, and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Buteau et al., U.S. Patent Number 6,442,557 B1 (hereinafter Buteau) in view of Ruffin et 
al., U.S. Patent Number 6,249,769 (hereinafter Ruffin) in view of Baudoin et al., U.S. Patent 
Number 7,290,275 B2 (hereinafter Baudoin) and further in view of McKenna et al., U.S. Patent 
Application Publication Number 2004/0010772 A1 (hereinafter McKenna). 



Regarding Claim 1: 

Buteau discloses a method of computer modeling integrated business and information technology 
frameworks and architecture in support of a business, comprising: 

Identifying, in a computer, manageable entities of the business and an existing information technology 
supported by each manageable entity (column 1 , line 58 - column 2, line 24; focuses on the logical 
dependencies between an enterprise and its technologies. ..a wide variety of information about the 
current enterprise architecture must be collected and analyzed... answer a wide range of strategic 
questions about the current state... (column 2, lines 53-63); 

generating, by the computer, an overall architecture for the business, the overall architecture defining how 
the manageable entities relate to each other and to the existing information technology (column 2, lines 
53-63; entities of the work flow model, the information model and the technology model are linked 
defining relationships... column 5, lines 43-51); 
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wherein the overall architecture contains a plurality of components, the plurality of components including 
a strategic plan (column 1, lines 58-67; column 11, line 59- column 12, line 32; column 20, lines 62-66), 
a business architecture (column 2, lines 14-17), an information architecture (column 15, line 24 - column 
17, line 37), an application architecture (column 21, line 49 - column 22, line 14), a technology 
infrastructure architecture (column 17, line 38- column 22, line 62),... and an enterprise information 
technology management framework (column 6, lines 29-47); 

implementing, in the computer, a common language in order to articulate the overall architecture (column 
7, lines 19-34); and 

generating, by the computer, a graphical representation of the overall architecture for the business 
according to the common language (column 7, lines 19-34; Figure 7). 

Buteau does not explicitly disclose determining, by the computer, information technology requirements for 
the business in response to the existing information technology and the relationship among the 
manageable entities; generating by the computer a plan for implementation and deployment of future 
information technology among the manageable entities based on the determined information technology 
requirements for display by the computer within the graphical representation of the overall architecture, 
the plan including a future security architecture based on the future information and a transition between 
a current security architecture and the future security architecture, wherein each of the current security 
architecture and future security architecture includes a corresponding set of a security objective and a mix 
of security measures. 

However, Ruffin does disclose determining by the computer information technology requirements for the 
business in response to the existing information technology and the relationship among the manageable 
entities (Abstract; column 3, line 10 - column 4, line 64). Buteau discloses optimal priorities for 
technology upgrades... interrelationships between the people 20 in the enterprise, the location(s) 22 of 
the enterprise, the processes 24 used in the enterprise, the information 26 used by the enterprise, and 
the technology components 28 of the enterprise and an organization generating and collecting 
information to help develop, for example, a common MIS [Management Information System] architecture 
(column 1 , lines 1 5-42). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention to incorporate the automation of determining what a business requires after first 
gathering the information about the current state in order to provide support for decisions. 

Ruffin further discloses generating, by the computer, a plan for implementation and deployment of future 
information technology among the manageable entities based on the determined information technology 
requirements (Abstract; column 3, line 10 - column 4, line 64). For example, Ruffin discloses that [t]he 
customer is prompted to address questions on a detailed input template for each of the ranked partitions. 
The answers and the opportunity identified within each of the ranked partitions are each provided to an 
opportunity tool set comprising logic tools such as sizers, proposal generators, financial tools, work 
assessment tools, planning tools and architectural templates, each of which may be custom tools or 
standardized software packages, for determining factors such as architecture, the work plan and the 
financial business case associated with enhancements recommended for a particular partition (column 4, 
lines 40-53). 

Buteau discloses, for example, relationships between enterprise components (e.g., technology 
distribution over locations). Instances of these entities cannot be identified independently from the 
component entities they interrelate; therefore, they must be the last parts of an enterprise architecture to 
be specified. Attributes and relationships of these entities are likely to change significantly over time in 
ways that are important to the architect and the planner. These entities as described above are 
implementation use, information access, ...technology acquisitions, technology acquisition items, 
technology distribution, technology item types, technology security, and technology sets (column 5, lines 
21-42; column 6, lines 6-39). Therefore, it would have been obvious to one of ordinary skill in the art at 
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the time of the invention to modify the invention of Buteau with that of Ruffin to generate a plan for 
implementation/deployment of future information technology in order to ensure a smooth transition. 

Baudoin discloses a security architecture component describing how security measures fit into the overall 
architecture of the business to meet security objectives of the business (Abstract; Figure 4). Baudoin 
further discloses that the security assessment matrix may be used as a list of recommendations to detail 
how the organization may attain its information security goals (column 51 , line 50 - column 52, line 57). 
Setting objectives and determining measures to achieve the objectives are old and well-known for an 
enterprise. Buteau teaches an objective to [pjrovide for the representation of planned or possible future 
architecture and to [e]xtend gracefully to encompass alternative (non-TAFIM) or future perspectives on 
technologies... with consideration to technology security (column 5, line 21 - column 6, line 48; Figure 7). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to 
modify the invention of Buteau with that of Baudoin to consider security objectives and security measures 
in order to meet the set objectives. 

And, McKenna discloses detailed transition and contingency plan sign-off 850 is provided for ensuring 
that a plan is in place to transition from the present system to the new system, which includes a design 
security profiles sign-off 856, and... a design security architecture sign-off 866 ([0082]-[0084]). Both 
Buteau (column 5, line 21 - column 6, line 48; Figure 7) and Ruffin (column 13, line 38 - column 14, line 
28) disclose considerations of technology security. Therefore, it would have been obvious to one of 
ordinary skill in the art at the time of the invention to incorporate the security architecture plans and 
transition phase in order to protect the information of an enterprise and to ensure a smooth transition. 



Regarding Claim 2: 

Buteau further teaches wherein the overall architecture addresses people, processes, and technology of 
the business (column 1, lines 30-35). 



Regarding Claim 3: 

Buteau further teaches wherein the strategic plan component includes a business plan, a product plan, a 
financial plan, an organization plan, a marketing plan, and a future information technology plan in support 
of the aforementioned plans (column 1 , lines 58-67; column 1 1 , line 59 - column 12, line 32; column 20, 
lines 62-66). 



Regarding Claim 4: 

Buteau further teaches wherein the business architecture component defines current business 
direction, objectives, and supporting processes as well as future direction, objectives, and supporting 
processes (column 2, lines 14-17). 



Regarding Claim 5: 

Buteau further teaches wherein the information architecture component provides information and data 
management precepts, an information-application software portfolio, and a geo-structural view of existing 
and future information technology deployment (column 15, line 24 - column 17, line 37). 



Regarding Claim 6: 

Buteau further teaches wherein the application architecture component defines an application software 
portfolio and integration relationships for the manageable entities of the business (column 21, line 49 - 
column 22, line 14). 
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Regarding Claim 7: 

Buteau further teaches wherein the technology infrastructure architecture component enables access to 
information and, geo-structural layouts for the existing and future information technology (column 17, line 
38 -column 22, line 62). 



Regarding Claim 8: 

Baudoin further teaches wherein the security architecture component describes how security measures 
fit into the overall architecture of the business to meet security objectives of the business (Abstract; 
Figure 4). It would have been obvious to one of ordinary skill in the art at the time of the invention to 
incorporate a security architecture in order to protect the information and practices of an enterprise. 



Regarding Claim 9: 

Buteau further teaches wherein the enterprise information technology management framework 
component provides existing and future information technology services and products, management of 
the services, information technology systems and network management, and enterprise information 
technology management organization capabilities, competencies, skills, and performance models 
(column 6, lines 29-47). 



Regarding Claim 10: 

Buteau further teaches further comprising: decomposing, by the computer, the manageable entities so 
that each manageable entity has a relative independence from other manageable entities but is in context 
with the overall enterprise architecture (column 5, lines 52-62). 



Regarding Claims 20 and 21 : 

Buteau does not teach analyzing industry benchmarks relating to information technology practices, 
wherein generating the plan is further based on analyzing the industry benchmarks relating to information 
technology practices. However, Ruffin discloses [a]n excellent source of this and other benchmark which 
are well known to those skilled in the art may currently be found on the Internet's World Wide Web at the 
universal resource locator (URL): as.ideascp.com presented by Ideas International Corporation (column 
18, line 29 - column 19, line 31). 

Likewise, Baudoin discloses that [t]he SMA [Security Maturity Assessment] may also be used for the 
purpose of meeting a certain industry standard or reaching a goal established through analysis of the 
competition's security capabilities (column 52, lines 54-57). Therefore, it would have been obvious to one 
of ordinary skill in the art at the time of the invention to incorporate industry benchmarks when 
considering information technology for an enterprise in order to maintain competitiveness. 



6. Claims 12-19 are rejected under 35 U.S.C. 103(a) as being unpatentable over Buteau et 
al., U.S. Patent Number 6,442,557 B1 (hereinafter Buteau) in view of Baudoin et al., U.S. Patent 
Number 7,290,275 B2 (hereinafter Baudoin) and further in view of McKenna et al., U.S. Patent 



Application Publication Number 2004/0010772 A1 (hereinafter McKenna). 
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Regarding Claim 12: 

Buteau teaches a computer readable medium (column 4, lines 48-63) including code for modeling 
integrated business and information technology frameworks and architecture in support of a business, the 
code executable on a computer to: 

receive data associated with manageable entities of the business and existing information technology 
supported by each manageable entity (column 1 , line 58 - column 2, line 24; focuses on the logical 
dependencies between an enterprise and its technologies. ..a wide variety of information about the 
current enterprise architecture must be collected and analyzed... answer a wide range of strategic 
questions about the current state...; column 2, lines 53-63); 

generate an overall architecture defining how manageable entities of the business relate to one another 
and to the existing information technology (column 2, lines 53-63; entities of the work flow model, the 
information model and the technology model are linked defining relationships...; column 5, lines 43-51), 
the overall architecture including: 

a strategic business plan component providing context and guidance that drive definition of business 
functions, processes, systems, and organization (column 1 , lines 58-67; column 1 1 , line 59 - column 12, 
line 32; column 20, lines 62-66); 

a business architecture component reflecting what the business does in the present as well as in the 
future to accomplish particular business requirements (column 2, lines 14-17); 

an information architecture component representing what information is to be delivered to individuals 
across the business (column 15, line 24 - column 17, line 37); 

an application architecture component supporting business process execution and information flow 
(column 21 , line 49 - column 22, line 14); 

a technology infrastructure architecture component supporting execution of activities and defining what 
information technology components are needed to enable access to information (column 17, line 38 - 
column 22, line 62); 

an enterprise information technology management architecture component dealing with business and 
organizational management of providing information technology services and products as well as 
systems, network, and element management (column 6, lines 29-47); 

generate a plan for implementation and deployment of future information technology among the 
manageable entities pursuant to the components of the overall architecture in response to how the 
manageable entities relate and to the existing information technology (column 5, lines 21-42; column 6, 
lines 6-39), 

Buteau does not explicitly disclose the plan including a future security architecture based on the future 
information and a transition between a current security architecture and the future security architecture, 
wherein each of the current security architecture and future security architecture includes a corresponding 
set of a security objective and a mix of security measures. 

Baudoin teaches a security architecture component describing how security measures fit into the overall 
architecture of the business to meet security objectives of the business (Abstract; Figure 4). Baudoin 
further discloses that the security assessment matrix may be used as a list of recommendations to detail 
how the organization may attain its information security goals (column 51 , line 50 - column 52, line 57). 
Setting objectives and determining measures to achieve the objectives are old and well-known for an 
enterprise. Buteau teaches an objective to [pjrovide for the representation of planned or possible future 
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architecture and to [ejxtend gracefully to encompass alternative (non-TAFIM) or future perspectives on 
technologies... with a consideration to technology security (column 5, line 21 - column 6, line 48; Figure 
7). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to 
modify the invention of Buteau with that of Baudoin to consider security objectives and security measures 
in order to meet the set objectives. 

And, McKenna discloses detailed transition and contingency plan sign-off 850 is provided for ensuring 
that a plan is in place to transition from the present system to the new system, which includes a design 
security profiles sign-off 856, and... a design security architecture sign-off 866 ([0082]-[0084]). Buteau 
discloses considerations of technology security (column 5, line 21 - column 6, line 48; Figure 7). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to 
incorporate the security architecture plans and transition phase in order to protect the information of an 
enterprise and to ensure a smooth transition. 



Regarding Claim 13: 

Baudoin further teaches wherein the security architecture component includes security and business 
continuity requirements (column 12, Implications for business continuity plans...; column 25, Business 
Continuity Arrangements.. .), 

an information security view (column 28, Security of exchange of data...; column 36, Validation control 
while data input...), 

an application security view (column 29, Business Requirements for Access Control .. .application access), 

a security infrastructure view (column 9, Information Security Infrastructure...), and 

an information security administration/management/training view (column 10, Information security 
education and training; column 16, User Training...; column 26, Procedures for reporting and recovery...; 
column 30, User Access Management...). 



Regarding Claim 14: 

Baudoin further teaches wherein the information security view is responsible for supervision of data within 
the overall architecture of the business (column 28, Security of exchange of data...; column 36, Validation 
control while data input...). 



Regarding Claim 15: 

Baudoin further teaches wherein the application security view is responsible for the supervision of 
applications within the overall structure of the business (column 29, Business Requirements for Access 
Control .. .application access). 



Regarding Claim 16: 

Baudoin further teaches wherein the security infrastructure view is responsible for supervision of an 
infrastructure within the overall architecture of the business (column 9, Information Security 
Infrastructure...). 



Regarding Claim 17: 

Baudoin further teaches wherein the information security administration/management/training view is 
responsible for managing access and within the overall architecture of the business (column 10, 
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Information security education and training; column 16, User Training .. .; column 26, Procedures for 
reporting and recovery .. .; column 30, User Access Management...). 



Regarding Claim 18: 

Baudoin further teaches wherein the security and business continuity requirements provide inputs for 
implementing information security within the overall architecture of the business (column 12, Implications 
for business continuity plans...; column 25, Business Continuity Arrangements...). 

Regarding Claim 19: 

Buteau further teaches wherein the code is further executable to: graphically displaying the overall 
architecture of the business; graphically displaying how the future information technology is to be 
implemented and deployed within the overall architecture in response to the generated plan (column 3, 
lines 57-67; column 5, lines 21-42; column 6, lines 6-39). 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing date 
of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to DEBRA ANTONIENKO whose telephone number is (571)270-3601 . The 
examiner can normally be reached on Monday through Thursday, 7:00 AM to 5:30 PM, EST. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Janice Mooneyham can be reached on 571-272-6805. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

DA 

/Janice A. Mooneyham/ 

Supervisory Patent Examiner, Art Unit 3689 



